ABSTRACT 


Wireless networking is a rapidly emerging technology and security must be 
addressed as it is incorporated into new and existing local area networks (LANs). It is 
important to know what unique properties of wireless LANs might amplify existing LAN 
vulnerabilities or introduce new ones. 

Wireless transmission techniques, topologies, and vendor offerings were surveyed 
from a security perspective. Three rating systems were developed to analyze aspects of 
these survey areas. These areas were then rated using these systems and graphically 
displayed on Kiviat drawings to show symmetric comparisons of each analysis category. 

Frequency hopping spread spectrum (FHSS) transmission technology, cellular 
topology, and the Jaguar product emerge as the best current approaches available. These 
results are applied to a case study that examines network wired segment replacement 
options, wireless segment attacks, and methods to detect an attacker. Current standards 
offer guidance that dictates how wireless technologies must operate, but do not relate to 
principles of LAN design. Our study and rating system results provide guidance for 
creating a network topology. The case study demonstrated that care must be taken in 
choosing wireless network segments. This work should help System Administrators by 
providing examples of good and bad choices. 
I. INTRODUCTION 


A. WIRELESS LOCAL AREA NETWORKS 

Wireless local area networks (WLANs) are a new alternative to traditional hard 
wired local area networks (LANs). They use radio frequency (RF) or infrared (IR) 
transmissions to communicate information from one point to another and do not rely on 
physical connections. A typical WLAN configuration includes a transceiver 
(transmitter/receiver) called an access point (AP) connected to the wired network using 
standard cabling. An access point antenna is mounted anywhere practical to obtain 
desired coverage. End users access the WLAN through adapters, such as notebook PC 
cards, that interface between the client network operating system (NOS) and the user. 

1. Advantages of wireless over wired 

WLAN technologies have been available since 1980, but the increasing number of 
portable computers has heightened the need for this technology. These systems allow 
users to access shared information without physically “plugging into” a network, so LAN 
managers can set up or augment their networks without installing new wires. Advantages 
offered by WLANs are mobility, low installation costs, installation speed, and scalability. 

a. Mobility 

WLANs can provide continuous network access to users within their 
organization thus supporting productivity not possible with wired networks. People can 
physically move their node (computer) without breaking their virtual network 
connection. This will be termed “roaming”. 

b. Low Installation Costs 

WLANs offer an advantage over wired LANs where the physical makeup 
of a building makes it difficult to route wire. Not routing wire yields lower installation 
costs and quicker setup times. Overall life-cycle costs are also lowered, because there 
are fewer cables to replace during future upgrades. 
c. Installation Speed 

Installing a wireless LAN system is faster than installing a hard wired 
system. The need to pull wire through walls and ceilings is eliminated. Small 
transceiver type devices are attached to mobile users and the network, effectively linking 
system resources. Wireless technology allows the network to go where wire cannot go. 

d. Scalability 

Hardware peripherals can be added to the network to serve additional 
wireless clients. Once the number of clients reaches the maximum, extra APs and 
extension points can be installed to accommodate these users. 

2. Department of Defense Applications 

Wireless technology can be used in Department of Defense (DoD) applications. 
Wireless networks can be used in combination with cabled LANs: machines requiring 
mobility are connected wirelessly, while others remain hard wired. Wireless computing 
has the potential to reduce costs of routing and maintaining cable and associated 
hardware peripherals. It can also be configured in a variety of topologies to meet specific 
application needs. These topologies range from peer-to-peer, suitable for a small number 
of users, to full infrastructures encompassing thousands of users. WLANs frequently 
augment, rather than replace, wired LANs, often providing the final few meters of 
connectivity between a wired network and the mobile user. 

B. PROBLEM STATEMENT 

Protecting WLANs from attack by malicious hackers and unauthorized users is a 
problem. Architectural considerations for the inclusion of wireless components into hard 
wired networks must be addressed. Administrative security and the protection of data 
should be considered during initial system planning. 

C. THESIS OVERVIEW 

Flexibility and mobility make wireless LANs both effective extensions to and 
attractive alternatives for wired networks. WLANs provide all of the connection 
functionality of wired LANs without the spatial constraints of a physically wired system. 
Their configurations range from simple peer-to-peer topologies to complex architectures 
all offering the benefits of roaming. They offer both end-user mobility and network 
portability. 

Security within information systems is vital to protecting data against exploitation 
from outside sources. DoD WLAN goals can be addressed by first understanding 
available technologies and how they may be used securely, and then choosing appropriate 
vendors to supply the equipment. 

Available wireless technologies will be examined to better understand how their 
use might increase the threat to security. An evaluation of their advantages and 
disadvantages will show their architectural strengths and weaknesses. These 
technologies encompass multiple transmission techniques, general security differences, 
and applicable standards. A final evaluation narrows the field of possible topology and 
vendor candidates suitable for DoD architectures. 

This paper will survey various technologies used to build WLANs in Chapter Two 
and how WLANs can be protected. Types of attacks and methods to combat them are 
explored in Chapter Three, culminating in an analytical survey of acceptable WLAN 
component combinations in Chapter Four. This information provides the basis for a case 
study, also in Chapter Four, of a typical LAN found at the Naval Postgraduate School. It 
shows the options available for replacing hard wired segments with wireless. Chapter 
Five presents final conclusions and discussions. 
II. BACKGROUND 


Hard wired LANs are used for sharing computer resources and providing 
connectivity. The WLAN provides an alternative to traditional twisted pair, coaxial 
cable, and optical fiber based networks. WLANs perform the same function as wired 
LANs by conveying information among networked devices, but operate without attached 
physical cabling between nodes. They can be implemented as an extension to, or an 
alternative for, a wired LAN. WLANs use radio frequency (RF) and infrared (IR) 
technology for intercomponent communication. They minimize the need for wired 
connections and combine data connectivity with user mobility. This chapter will show 
the transmission, topology, and vendor technologies available to build a WLAN. 

A. TECHNOLOGY OVERVIEW: WIRELESS TRANSMISSION TECHNIQUES 

Wireless LANs were introduced in 1980.1 Transmission types include 
narrowband microwave, infrared, or spread spectrum technologies. Each technology has 
its advantages and limitations. They are described below. 

1. Narrowband Microwave 

During radio frequency transmissions, RF data is superimposed (modulated) onto 
an outgoing radio carrier and then extracted at the receiving end. The radio receiver 
tunes in one radio frequency while rejecting all others. Multiple radio carriers can 
coexist without interference if the signals are transmitted at different frequencies. 
Narrowband radio systems transmit and receive information on specific radio frequencies 
and are used to interconnect LANs between buildings. They require line-of-sight antenna 
dishes on both ends of the link. The transmitter encodes an input signal that is mixed 
with a constant frequency known as the "carrier". The receiver filters out this carrier 
signal to recover the original data. Narrowband radio keeps the signal frequency within a 
small specified range. Undesirable crosstalk between communications channels is 
avoided by carefully coordinating different users on different channel frequencies. 
Communication privacy and noninterference are accomplished by using separate radio 
frequencies. The radio receiver filters out all radio signals except those on its designated 
frequency.2 

1 Sami Uskela, Wireless Local Area Networks 
(http://.../110.501/1997/wireless_lan.html#IntegrityandConfidentiality). 


a. Advantages 

Narrowband microwave radio antennas bypass telephone company lines, 
so the cost of phone line service is avoided. The antenna itself costs very little, but prices 
vary depending on size and wattage requirements. Unlike IR, its signal is not easily 
blocked by physical structures. 

b. Disadvantages 

Narrowband technology is susceptible to interference and is therefore 
individually licensed by the FCC to prevent other systems from operating at the same 
frequency in a particular area. Once a site license is granted, that frequency band cannot 
be licensed anywhere else within a 17.5 mile radius. Also, if the frequency is known to a 
third party, communications can be intercepted. 

2. Infrared 

Infrared uses the same technology as television remote control units. IR signals 
transmit data between nodes using either a point-to-point or a sun-and-moon 
configuration (signals are diffused by reflecting them off of a surface). IR systems use 
very high frequencies just below those of visible light in the electromagnetic spectrum. 
Like light, IR cannot penetrate opaque objects. It is either directed (line-of-sight) or 
reflected.3 


2 Proxim, What is a Wireless LAN? (http://www.wirelesslan.com/wireless/). 
3 Ibid. 
a. Advantages 


IR is not bandwidth limited and can be used to transmit at speeds greater 
than 50 Mbps. Range security is inherent due to its inability to penetrate solid objects. 
IR also does not require an FCC license. 

b. Disadvantages 

Infrared’s easy obstruction also acts as a disadvantage when installed in a 
space with many obstacles. Similarly, its limited range acts as a disadvantage when the 
WLAN is needed over a large area. Inexpensive systems provide approximately three 
feet of coverage and are typically used for personal area networks. High performance IR 
is impractical for mobile users and is therefore used in fixed sub-networks. Diffused 
(reflected) IR does not require line-of-sight, but cells are limited to individual rooms. 

3. Spread Spectrum 

Most wireless LANs use spread-spectrum technology. It is a wideband RF 
technique developed by the military for reliable, secure, mission-critical communications 
systems. It was initially created to avoid jamming and eavesdropping of signals. Spread 
spectrum exchanges bandwidth efficiency for reliability, integrity, and security. It 
spreads the signal over a range of frequencies consisting of the industrial, scientific, and 
medical (ISM) electromagnetic spectrum bands. It avoids concentrating power into a 
single narrow frequency band. This “spreading” makes the signal appear like noise, 
making the signal bandwidth much larger than that of the original signal. More 
bandwidth is consumed than in a narrowband transmission, but the tradeoff produces a 
louder signal that is easier to detect. Spread spectrum frequency bands include frequency 
ranges at 902 MHz to 928 MHz and 2.4 GHz to 2.484 GHz. The 2.4 GHz range is 
available worldwide, which provides convenient high speed wireless capabilities to users. 
The FCC regulates the frequency band used by spread spectrum, but does not require 
individual licensing for local coverage areas. Products developed for unlicensed FCC use 
must employ one of the two spread spectrum technologies: frequency hopping and direct 
sequence.4 


4 Ibid. 
a. Frequency Hopping Spread Spectrum 

Frequency hopping spread spectrum (FHSS) transmits short radio bursts 
on one frequency then randomly "hops" to another for the next short burst. The carrier 
signal changes frequency in a pattern known to both transmitter and receiver. The 
transmission source and destination must also be synchronized, so they are on the same 
frequency simultaneously. A transmitted message can only be fully received if the series 
of frequencies is known, because only the intended receiver knows the transmitter's 
hopping sequence. To an unintended receiver, FHSS appears to be short-duration 
impulse noise. Any radio with a digitally controlled frequency synthesizer can be 
converted to a frequency hopping radio. This conversion requires the addition of a 
pseudo noise (PN) code generator to select the frequencies for transmission or reception. 
Most hopping systems use uniform frequency hopping over a band of frequencies. This 
is not absolutely necessary if both the transmitter and receiver know in advance what 
frequencies are to be skipped. A frequency hopped system can use analog or digital 
carrier modulation. Most vendors develop their own hopping-sequence algorithms, which 
significantly reduces the likelihood that two transmitters will hop to the same 
frequency at the same time.5 

1). Federal Communications Commission Guidelines. 

Hopping patterns and dwell times (time at each frequency) are restricted. The Federal 
Communications Commission (FCC) requires that 75 or more frequencies be used at a 
maximum dwell time of 400 ms. If interference occurs on one frequency, the data are 
retransmitted on a subsequent hop to another frequency. Each channel consists of a 
frequency width also determined by the FCC. They require that all transmitters not spend 
more than 0.4 seconds on any one channel every 20 seconds in the 902 MHz band and 
every 30 seconds in the 2.4 GHz band. They further require that transmitters hop through 
at least 50 channels in the 902 MHz band and 75 channels in the 2.4 GHz band. 

2). IEEE 802.11. IEEE 802.11 limits frequency hopping spread spectrum 
transmitters to the 2.4-GHz band. 

3). The market for frequency hopping spread spectrum. 

All FHSS products allow the use of more than one channel in the same area by 
implementing separate channels on different hopping sequences. This allows for many 
non-overlapping channels. 

5 Ibid. 
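The following simulation is an added example and is not code from the thesis or from any vendor it surveys. It assumes 79 channels in the 2.4 GHz band, a 0.4 s dwell per hop, and a hopping sequence derived from a shared seed that stands in for a vendor's PN code generator; the rule figures it checks (at least 75 channels, at most 0.4 s on any one channel within 30 s) are the FCC numbers quoted above. It shows why only a receiver holding the same hopping sequence recovers the message, why an unintended receiver sees only scattered fragments, and how a hop list can be checked against the FCC rules.

```python
"""Frequency hopping spread spectrum simulation (added example, not from the thesis).

Constructed assumptions: 79 channels in the 2.4 GHz band, a 0.4 s dwell per hop,
and a hop list derived from a shared seed standing in for a vendor's pseudo
noise (PN) code generator. The rule figures (at least 75 channels, at most
0.4 s on any channel within 30 s) are the FCC 2.4 GHz numbers the text quotes.
"""
import random
from collections import Counter

NUM_CHANNELS = 79  # assumed channel count; the FCC minimum quoted for 2.4 GHz is 75
DWELL_S = 0.4      # seconds spent on each channel per hop
WINDOW_S = 30.0    # FCC observation window for the 2.4 GHz band


def hop_sequence(seed, hops, channels=NUM_CHANNELS):
    """Hop list shared by transmitter and receiver.

    The seed plays the part of the PN code: it fixes one permutation of all
    channels, which is then repeated. Cycling a permutation gives 'uniform'
    hopping: every channel is visited exactly once per cycle.
    """
    pattern = list(range(channels))
    random.Random(seed).shuffle(pattern)
    return [pattern[i % channels] for i in range(hops)]


def transmit(message, seed):
    """One byte per hop; returns the bursts on the air as (channel, byte) pairs."""
    return list(zip(hop_sequence(seed, len(message)), message))


def receive(bursts, seed):
    """A receiver hops by its own seed and keeps only bursts on the channel it expects.

    Bursts heard on any other channel are dropped; to this receiver they are
    just short-duration impulse noise.
    """
    expected = hop_sequence(seed, len(bursts))
    return bytes(b if ch == e else 0 for (ch, b), e in zip(bursts, expected))


def recovered_fraction(message, tx_seed, rx_seed):
    """Share of the message a receiver with rx_seed recovers from a tx_seed sender."""
    got = receive(transmit(message, tx_seed), rx_seed)
    return sum(1 for a, b in zip(got, message) if a == b and a != 0) / len(message)


def fcc_compliant_24ghz(seq, dwell_s=DWELL_S, window_s=WINDOW_S,
                        min_channels=75, max_occupancy_s=0.4):
    """Check a hop list against the two 2.4 GHz rules the text quotes:
    hop through at least 75 channels, and occupy no channel for more than
    0.4 s within any 30 s window."""
    if len(set(seq)) < min_channels:
        return False  # hops through too few channels
    per_window = int(window_s / dwell_s)  # hops that fit in one window (75 here)
    for start in range(max(1, len(seq) - per_window + 1)):
        busiest = max(Counter(seq[start:start + per_window]).values())
        if busiest * dwell_s > max_occupancy_s + 1e-9:
            return False  # some channel occupied too long within one window
    return True


if __name__ == "__main__":
    msg = b"spread spectrum"
    print("intended receiver:", receive(transmit(msg, 7), 7))
    print("wrong seed recovers %.0f%%" % (100 * recovered_fraction(msg, 7, 8)))
    print("compliant:", fcc_compliant_24ghz(hop_sequence(7, 300)))
    print("0.8 s dwell compliant:", fcc_compliant_24ghz(hop_sequence(7, 300), dwell_s=0.8))
```

The compliance check illustrates the trade the text describes: a random hop list would repeat channels inside a 30 s window and fail the occupancy rule, so the example cycles one permutation of all channels, which is the "uniform frequency hopping" that most systems use. Lengthening the dwell to 0.8 s or hopping over only 50 channels makes the same list fail.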

b. Direct Sequence Spread Spectrum (pseudonoise) 

Direct sequence spread spectrum (DSSS) avoids excessive power 
concentration by spreading the signal over a wider frequency band. The data signal is 
modified by a wideband spreading signal that the receiver interprets to obtain the original 
signal. DSSS transmitters spread their signal by mapping data into a pattern of "chips" 
called chipping codes and then add these redundant data bits to the transmission. At its 
destination the chips are mapped back into bits, recreating the original data. The longer 
the chip, the greater the probability of data recoverability and the more bandwidth 
required. If one or more bits in the chip are damaged during transmission, statistical 
techniques embedded in the receiver can recover the original data. To an unintended 
receiver, DSSS appears as low-power wideband noise and is ignored. The ratio of chips 
to bit is called the "spreading ratio". A high spreading ratio increases the resistance of 
the signal to interference. A low spreading ratio increases the net bandwidth available to 
a user. Overall these spreading ratios are quite small and most 2.4 GHz product 
manufacturers offer a spreading ratio of less than 20. Like FHSS, a DSSS receiver must 
know a transmitter's spreading code to decipher data. This spreading code allows 
multiple transmitters to operate simultaneously without interference. Once the 
receiver has the entire signal, it removes the chips with a correlator and collapses the 
signal to its original length.6 

1) . Federal Communication Commission Guidelines 

The FCC requires that each signal have ten or more chips, limiting 
data throughput to 2 Mbps in the 902 MHz band and 8 Mbps in the 2.4 GHz band. The 
number of chips is directly related to a signal's immunity to interference, meaning some 
throughput is sacrificed to avoid interference. 

2) . IEEE 802.11 

IEEE 802.11 imposes a standard of precisely 11 chips for DSSS as 
opposed to the FCC’s requirement of 10 or greater. 

3). The Market for direct sequence spread spectrum 

DSSS products allow more than one channel in the same area. 
The 2.4 GHz band is separated into several sub-bands, each containing an independent 
DSSS network. DSSS truly spreads across the spectrum, so the number of independent 
(i.e. non-overlapping) channels in the 2.4 GHz band is small. The maximum number of 
independent channels for any DSSS implementation is three. 

6 Ibid. 
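The following simulation is an added example and is not code from the thesis or from any product it surveys. It spreads each data bit into the 11 chips that IEEE 802.11 mandates and despreads with a correlator. The 11-chip Barker sequence it uses is the standard's DSSS spreading code, which the text does not quote, so that sequence and the injected chip errors are this example's own assumptions. It shows the three properties described above: the spreading ratio, the number of damaged chips the correlator can absorb before a bit is lost, and how a receiver without the transmitter's spreading code sees correlations of magnitude about one, indistinguishable from noise.

```python
"""Direct sequence spread spectrum simulation (added example, not from the thesis).

Each data bit is spread into 11 chips, the chip count IEEE 802.11 mandates. The
11-chip Barker sequence used here is the 802.11 DSSS spreading code; the thesis
quotes only the chip count, so the sequence itself is supplied by this example.
Chips are +1/-1 so that the correlator is a plain dot product.
"""
import random

BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spreading_ratio(code=BARKER_11):
    """Chips per data bit, the 'spreading ratio' the text defines."""
    return len(code)


def max_correctable_chip_errors(code=BARKER_11):
    """Chip errors per bit the correlator tolerates before the sign flips."""
    return (len(code) - 1) // 2


def spread(bits, code=BARKER_11):
    """Transmitter: bit 1 -> the code, bit 0 -> the inverted code."""
    chips = []
    for bit in bits:
        sign = 1 if bit else -1
        chips.extend(sign * c for c in code)
    return chips


def corrupt(chips, errors_per_bit, code_len=len(BARKER_11), seed=0):
    """Constructed channel noise: flip errors_per_bit distinct chips in every bit's group."""
    rng = random.Random(seed)
    out = list(chips)
    for start in range(0, len(out), code_len):
        for i in rng.sample(range(start, start + code_len), errors_per_bit):
            out[i] = -out[i]
    return out


def despread(chips, code=BARKER_11):
    """Receiver correlator: dot each chip group with the code.

    Returns (bits, scores). A clean match scores +/-len(code) and the sign of
    the score is the recovered bit. A receiver holding the wrong code sees
    scores of magnitude about 1: to it the transmission looks like noise.
    """
    n = len(code)
    bits, scores = [], []
    for i in range(0, len(chips) - n + 1, n):
        score = sum(a * b for a, b in zip(chips[i:i + n], code))
        scores.append(score)
        bits.append(1 if score > 0 else 0)
    return bits, scores


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    on_air = spread(data)
    print("clean:", despread(on_air))
    print("5 chip errors per bit:", despread(corrupt(on_air, 5)))
    shifted = BARKER_11[3:] + BARKER_11[:3]  # a receiver's wrong spreading code
    print("wrong code:", despread(on_air, shifted))
```

With 11 chips the correlator still returns the right sign after five damaged chips per bit and fails at six, which is the statistical recovery the text refers to. Using the same sequence shifted by three chips as the "wrong" code shows the low cross-correlation that makes the signal look like noise to anyone without the transmitter's code.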

B. TECHNOLOGY OVERVIEW: WIRELESS TOPOLOGIES 

A "network topology" is a set of workstations that communicate with one another. 
It is the architectural drawing of the physical configuration that represents the network. 
At its most basic, two personal computers (PCs) equipped with wireless adapter cards 
can initiate an independent network when within range of one another. This is called a 
peer-to-peer network (Figure 1) and requires no administration or pre-configuration. 
Each PC would only have access to the resources of the other and not to a central server. 



Figure 1: A Wireless Peer-to-Peer Network7 


Installing a hard wired access point (AP) extends the range of a peer-to-peer 
network (Figure 2). The AP provides client access to server resources as well as to other 
clients. Each AP can accommodate many clients dependent upon the amount and nature 
of the transmissions. 


7 Ibid. 
Figure 2: Client and Access Point8 


Access points have a finite range, so it may be necessary to install multiple APs in 
large facilities (Figure 3). AP positioning is determined by a site survey. The goal is to 
blanket the coverage area with overlapping cells, so that users can seamlessly roam 
throughout the area without losing network contact. APs invisibly hand the user off from 
one cell to another, ensuring unbroken connectivity. 



Figure 3: Multiple Access Points and Roaming9 


To solve extended range problems, Extension Points (EPs) augment the network 
(Figure 4). EPs function like APs, but are not tethered to the wired network. They 
extend the range of the network by relaying signals from a client to an AP or another EP. 
EPs may be strung together to link an AP to far away clients. 

8 Ibid. 
9 Ibid. 



Figure 4: Extension Point Providing Coverage Between APs and Mobile Users10 

A directional antenna extends the WLAN range to other buildings. If a WLAN in 
building “A” is to be extended to building “B” one mile away, a directional antenna can 
be installed on each building. Both antennas are connected to WLANs within their 
buildings, enabling wireless LAN connectivity throughout the facility (Figure 5). 



Figure 5: The Use of Directional Antennas11 


Using these examples as building blocks, WLAN topologies can be divided into 
four distinct categories based on the presence or absence of a network infrastructure. 


10 Ibid. 

11 Ibid. 
1. Ad Hoc 


Ad Hoc networks contain mobile workstations that are wirelessly connected and 
have no wired infrastructure. They consist of two categories: 

a. Ad Hoc without centralized control 

Figure (6) is an Ad Hoc network without centralized control where 
stations send packets directly to each other. Access control is difficult, because 
unauthorized stations can join the network with no authentication. Additionally, this 
network is difficult to maintain in large facilities due to range restrictions. 



Figure 6: Ad Hoc Without Centralized Control12 

b. Ad Hoc with centralized control 

In Figure (7), the centralized control station is called the Base Station (BS) 
through which all stations communicate wirelessly. Communication between mobile 
stations is allowed if restricted access is not imposed by the BS. A problem can arise if 
one station drifts out of range. The BS is designed to recognize such "drift" and relays a 
warning message to each mobile unit. Centralized control provides better security, 
because the BS enforces access control for the mobile units. The level and strength of 
this control is dependent upon the operating system used in the network. 

12 Saraswati Balakrishna, Network Topologies In Wireless LANs, 
(http://www.cs.umbc.edu/~sbalakl/lan2.html, December 1995). 



Figure 7: Ad Hoc With Centralized Control 


2. Cellular 

Cellular networks contain mobile sub-networks that access, either through wired 
or wireless connections, a base station that is attached to another sub-network (Figure 8). 
A mobile network can only access one BS at a time and the BS advertises which mobile 
stations are associated with it. When users roam, a mobile unit may associate itself with 
another BS creating overlapping BS coverage areas (as in Cell A & Cell B). When this 
happens the two BSs negotiate between themselves and decide which will assume control 
of the mobile unit. 
Figure 8: Cellular 


3. Non-Cellular 

Non-cellular networks, shown in Figure (9), are similar to cellular ones, because 
mobile stations gain access to a wired network through BSs. Unlike the single BS 
communications in cellular networks, mobile units can simultaneously communicate 
with multiple BSs, increasing communication efficiency. Direct communication between 
mobile units is not possible, because there is no method for one mobile unit to locate 
another. There is also no way for the system to know which BS is responsible for which 
mobile unit. Most WLANs use the Cellular topology for access to wired media. 



Ibid. 
Ibid. 
4. Personal Area Networks 


A personal area network (PAN) is used when a small group of computers require 
access to a set of peripherals (Figure 10). Computers are termed the masters and 
peripherals the slaves. Slaves respond to commands from the masters. PANs exist in a 
small geographic area such as an office and are relatively easy to manage. 



Figure 10: Personal Area Networks 


C. TECHNOLOGY OVERVIEW: VENDORS 

The wireless market is crowded with hardware products that enhance WLAN 
capabilities. Several vendors provide complete WLAN networking systems with 
customized services and capabilities. 

1. Air-I/O 

Telxon Air-I/O (Figure 11) spread spectrum WLANs provide office-based 
communication coverage with data rates up to 2 Mbps. It is 802.11-compliant and is 
offered in both FHSS and DSSS. Telxon's AirAware™ Wireless Software provides 


Ibid. 
connectivity and management tools for the Air-I/O WLAN. AirAware’s management 
tools include AirVision™, AirBeam™, AirGate™ and AirVU™, each of which is 
described below. 



Figure 11: Air-I/O 


a. AirVision 

AirVision helps the user monitor and manage information. Its benefits 
include remote monitoring, analysis, fault identification, and performance management. 
AirVision also provides a wired network administrator’s management tool that monitors 
standard terminal connections to wireless devices. 


Telxon, AirWare Software, (http://www.telxon.com/pandtech/wirelessnet/wireless-soft, 1998). 

Ibid. 

Telxon, AirWare Software, (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airvision.asp, 
1998). 
b. AirBeam 

AirBeam automates the updating and distribution of mobile client 
software. It is a set of client-resident executables and API libraries functioning as a 
standalone utility on each workstation. AirBeam tracks the application software resident 
in wireless mobile units and automatically manages software updates as they occur. 
These updates occur transparently through RF signals.20 

c. AirGate 

AirGate provides wireless gateway application server software. It uses a 
three-tier client server architecture with a gateway application server placed between the 
wireless client and connected hosts. Client devices communicate with the server, which 
communicates with data sources and applications on behalf of the client.21 

d. AirVU 

AirVU provides standard terminal connection to wireless devices. It uses 
TCP/IP for direct session communication on host systems, thereby not requiring a 
controller or gateway server. AirVU can also be loaded on handheld devices, providing 
services without restricting the device's other uses.22 

2. Jaguar 

Jaguar’s 3.2 Mbps WLAN for Ethernet (Figure 12) uses FHSS and offers: 

• 3.2 Mbps data rate. 

• Equalization that reduces retransmissions and improves throughput. 

• Compact designs and miniaturized dual internal antenna systems that are fully 
embedded into the WLAN PC Card adapter. 


20 Telxon, AirWare Software, (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airbeam.asp, 
1998). 

21 Telxon, AirWare Software, (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airgate.asp, 1998). 

22 Telxon, AirWare Software, (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airvu.asp, 1998). 
• PC Card Link Status Indicator that tells the user when the mobile unit is 
within range of an AP and the received data rate performance. 

• Wireless LAN cell hand-offs. 


Jaguar products are “plug and play”, operating in the unlicensed 2.4 GHz 
frequency band. It dynamically selects between two digital modulation techniques, 
QPSK and 16QAM, to deliver the maximum data rate possible. In QPSK mode, Jaguar 
delivers a raw data rate of 1.6 Mbps and user data throughput of 1.1 Mbps. In 16QAM 
mode, it delivers a raw data rate of 3.2 Mbps and a maximum user data throughput of 2.2 
Mbps.23 



Figure 12: Jaguar’s 3.2 Mbps Wireless LAN24 


Jaguar is hub-based, using a WLAN AP that provides the interface to a wired 
Ethernet. This AP can also serve as a field BS, allowing virtual "networking" without a 
hard wired connection to the Ethernet. It provides a maximum open air coverage area of 
1,500 meters. The maximum coverage area for a cell is determined by the type of 
obstructions the radio signals pass through, the noise environment, and height above 
ground. These APs can also use one of 78 different hopping patterns, providing 


23 Jaguar, £cApa7»e/ire Wireless LAN, JAGUAR: 3.2 Mbps Wireless LAN for Ethernet, 
(http://www.agerd.ro/produse/wireless/jaguar_topo.html, September 1998). 

24 Ibid. 
maximum flexibility for network expansion. Each WLAN cell supports up to 62 users 
with load-balancing capabilities that automatically distribute these users among various 
overlapping cells. Jaguar can support up to 15 overlapping cells before data rate 
performance degrades. If cells do not overlap, network extension is indefinite (Figure 
13). 



Figure 13: Jaguar Access Point Configuration25 


3. WaveLyNX BR132 

WaveLyNX BR132 is an Ethernet WLAN bridge system that supports a point-to- 
point topology. It establishes dedicated connections between two LANs. BR132 
supports 3.2 Mbps up to six miles and a 2.4 Mbps user throughput to a maximum single- 
hop range of 20 miles. In noisy environments, it automatically falls back to 1.6 Mbps, 
and links over 20 miles are supportable using a repeater. BR132 uses WaveAccess’ 
Adaptive Equalization (ADEQ)™ technology as well as Quadrature Phase Shift Keying 
(QPSK) and 16 quadrature amplitude modulation (QAM) modulation, rather than simple 
frequency shift keying (FSK). ADEQ allows more effective operation in noisy multipath 
environments. BR132s are deployed in pairs and are pre-configured as master and slave 
with factory default hopping pattern settings for “out-of-the-box” operation. Each 
BR132 also comes with a pair of standard 2 dBi gain antennas which are used for simple 
communication links between LANs. Actual link speeds are determined by the distance 
covered, antenna type, cable type, and cable length (Figure 14).26 

25 Ibid. 


[Figure 14 graphic: 3.2 Mbps - 6 miles; 1.6 Mbps - (distance illegible) miles] 

Figure 14: WaveLyNX BR13227 

4. NetWeaver 

NetWeaver is a high-performance, digital, point-to-multipoint data 
communication system that provides high-speed wireless networking. It operates at 2.4 
GHz FHSS, offering full-duplex operation within each channel scaleable to 3.2 Mbps. It 
has a variable range to a maximum of 10 miles (Figure 15).28 


26 WaveLyNX, £cApa7wente Wireless LAN: WaveLyNX BR132 Network Topology, 
(http://www.agerd.ro/produse/wireless/lynx_topo.html, September 1998). 

27 Ibid. 

28 WaveLyNX, NetWeaver: Metropolitan Multipoint Internetworking Systems, 
(http://www.agerd.ro/produse/wireless/netweaver_spec.html, September 1998). 
Figure 15: NetWeaver29 


NetWeaver is based on a hub and spoke topology. It uses Central Unit (CU) 
modems that each support a single 3.2 Mbps or 1.6 Mbps channel with links supporting 
up to 62 wireless remote site radio modems. CUs access the Internet via a wired or 
wireless backbone and offer two digital wireless modem models: 

• SDR132 Single Drop Remote that supports a single desktop computer via a 
10Base-T port through the computer's Ethernet card, or a LAN connection via 
a router. 

• MDR132 Multi Drop Remote that supports full 802.3 bridging. 

NetWeaver remote wireless modems use full-duplex outdoor directional 
antennas. As network bandwidth requirements increase, additional CU channels can be 
added: up to 10 channels per base station. CU modules also support both omni- 
directional and directional antenna arrays, ensuring that multiple BSs can be arranged for 
nearly unlimited scalability (Figure 16). 


29 Ibid. 
[Figure 16 graphic: NetWeaver Network Multi-CU Topology, Central Unit 1 linked to further Central Units] 

Figure 16: NetWeaver CU Topology30 


NetWeaver cells can be augmented or interconnected by WaveLyNX, and 
NetWeaver's MDR132 digital modems can interface with the 3.2 Mbps WaveAccess 
Jaguar WLAN. This allows for reliable indoor roaming. 


30 Ibid. 
III. SECURITY CONCERNS FOR WIRELESS 


Security for all network types is important. Disgruntled former employees, 
Internet hackers, and industrial spies are all possible network attackers. How they might 
use WLANs is discussed in this chapter. 

A. GENERAL SECURITY LEVELS 

Security levels in wireless communication channels, grouped from most secure to 
least secure, are defined as: 

• Secure Military Systems (JTIDS, MILSTAR, GPS): Wireless military 
communication systems are used for electronic warfare (EW), electronic 
countermeasures (ECM), and electronic counter-counter measures (ECCM). 
Some military systems can counteract jamming (denial of access), spoofing, 
and detection using antijam, anti-spoofing, and low-probability-of-intercept 
methods. 

• Secure Public Systems: Secure public systems provide authentication and data 
encryption, but other general security issues are not addressed. 

• Unsecured Public Systems (POTS, AMPS, Two-Way FM, Broadcast): Plain 
old telephone service (POTS), broadcast, and cellular phones are unsecured. 
Advanced mobile phone service (AMPS-Cellular) is protected by regulations 
against eavesdropping, but this is unenforceable.31 

1. Secure Military Systems 

Modern military forces depend on sophisticated radio communication and 
navigation systems. An enemy can employ ECM to detect these radio signals and either 
disrupt or exploit them. Disruption is accomplished by jamming and exploitation by 
using transmissions for their intelligence value. Prior to development of transmission 
security, it was possible to gather intelligence from signals by demodulating and 
decoding them. For some systems it is also possible to "spoof" or provide false 


31 Steve F. Russell, Channel Security Tutorial 
(http://www.eejastate.edu/~wireless/security/w_tut_lJitml, Iowa State University, February 1997). 
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information (counter-intelligence). A diagram of these ECM techniques is shown in 
Figure (17). 



Figure 17: Electronic Warfare Overview for Military Systems [32] 


Alternate terminologies that describe ECCM concepts include Low Probability of 
Detection (LPD), Low Probability of Exploitation (LPE), and Low Probability of 
Intercept (LPI). LPD prevents the enemy from detecting a radio transmission and 
minimizes power spectral density and detectability. LPE prevents the exploitation of 
signals by decoding, spoofing, or position monitoring. It denies the enemy knowledge of 
the system, its modulation characteristics, its use, and its users. LPI encompasses both 
LPD and LPE and is a generic term from which the term “anti-intercept” is derived. 

2. Secure Public Systems 

The typical public WLAN system is shown in Figure (18). The public network 
(Internet) and the private network (university) are usually not secure. The private 
network (industry), the wireless service provider, and a private LAN are usually secure. 
Figure (18) also illustrates security firewalls for secure private networks. 


32 Ibid. 
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Wireless channels are protected only by data encryption, authentication, and 
limited protection against elementary attempts at jamming, spoofing, and interception. 
Channel security characteristics for secure public communication systems are grouped 
into the categories shown in Table (1). It shows the ECM and ECCM techniques used to 
combat malicious attacks: 


Elements of Secure Public Communications 

ECM               | UTILIZATION                                  | ECCM 
Detection         | Determine Presence and Activity of RF Signal | Anti-Intercept 
Location          | Monitor and Track Position of RF Signal      | Anti-Intercept 
Denial of Service | Disrupt or Deny Use to Unauthorized Users    | Anti-Jam 
Counterfeiting    | Theft of Services by Unauthorized Users      | Encrypted Authentication 
Decoding          | Obtain Information from Attacker             | Data Encryption 
Spoofing          | Supply Deceptive Information to Attacker     | Spoofing Security 

Table 1: Elements of Secure Public Communications [34] 


33 Ibid. 

34 Ibid. 
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Detection determines activity and patterns of use and is the first step in employing 
additional ECM techniques. Location locates and tracks wireless transmitters within the 
network. Some programs locate a cell phone user down to the cell site and antenna 
sector level. Denial of Service is used in the public system to disrupt or deny use to 
unauthorized users. Counterfeiting results in illegal or unauthorized access to services. 
Decoding digital voice and data is the least important, because data encryption methods 
are well advanced and can mitigate this threat. Spoofing security is a developing area of 
ECCM research and supplies deceptive information to an attacker. One example utility 
is the Deception Toolkit from Fred Cohen and Associates. [35] 

B. LOGICAL ACCESS 

Anyone gaining access to a typical commercial-off-the-shelf (COTS) wired LAN 
can potentially damage the network or compromise the integrity of its information. 
Without proper security measures, even authorized users might gain unauthorized access 
to restricted information. In WLANs, wireless channels are shared by multiple users, 
creating the need for a media access control (MAC) protocol to coordinate access. In the 
open system interconnection (OSI) model of communications (Appendix A) the MAC 
function is a sublayer of the Data Link Layer. Each transmitted packet contains a source 
and destination address. Packets with recognized destination addresses stay on the LAN 
while unrecognized packets are presumed destined for another network and are 
forwarded. LAN/WLAN MAC protocols include random access protocols (ALOHA or 
Carrier Sense Multiple Detect [CSMA]), reservation techniques (a protocol similar to 
RTS/CTS [Request-To-Send/Clear-To-Send]), or a combination of the two (Time 
Division Multiple Access [TDMA]). 

C. ATTACKS: LAN VERSUS WLAN 

WLANs possess the same security problems as wired LANs, but new security 
concerns emerge when using radio communications. Data transfers can be compromised 
by sniffers, radio frequency “grabbers”, and stray emissions. Intentional or unintentional 
jamming, spoofing, and eavesdropping can degrade WLAN security. New questions 
emerge: can WLANs exist side-by-side without interference? Do they interfere with 

35 Fred Cohen and Associates, The Deception Toolkit (http://www.all.net). 
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other nearby radio frequencies? How are nearby cell phone communications affected? 
How do cell phones affect WLAN communications? Many of these threats to 
communications security can be mitigated by cryptographic systems that encode data, 
thus providing secrecy and sender authentication, and by firewalls that stop electronic 
intrusion. 

Common LAN attacks can be grouped into four categories: 

1) Interruption: This attack makes LAN resources unavailable by interrupting 
service. It can be employed by excessively pinging the network from an 
outside Internet address or by physically cutting system cables. 

2) Interception: This attack captures data about sender and receiver identities. 
An example is data that can be used to exploit personal information about the 
user or to use their address for gaining access to the network. 

3) Modification: This attack modifies captured data and sends it to unsuspecting 
users to trick them into performing actions that are beneficial to the attacker. 

4) Fabrication: This attack falsifies an attacker's identity to lure authorized users 
into providing information useful to the attacker. 

Of greater concern to the wireless system are RF attacks between APs rather than 
data manipulation of the actual packet. These attacks are derived from traditional 
categories listed above and are broken down into more detailed wireless classifications: 

• Eavesdropping 

• Transitive Trust 

• Infrastructure 

• Denial of Service 

1. Eavesdropping 

Eavesdropping occurs when an attacker unjustly receives transmissions intended 
for someone else. Any receiver within range, outside or inside of the building, can 
eavesdrop on a message. The equipment required to eavesdrop is reasonably priced and 
authorized users cannot detect that the transmission has been compromised. Transceiver 
power and frequency band affect the range where the transmission can be heard. When a 
transceiver operating at greater than or equal to 2 MHz powers up, traffic can be 
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eavesdropped from outside of the building unless special electromagnetic shielding is 
used. [36] 


2. Transitive Trust 

Paths of communication that require trust between nodes within the same network 
can be the target of a transitive trust attack. Specifically, if node “A” trusts “B” and B 
trusts “C”, then A trusts C. Often, A does not know that it trusts C. These relationships 
can be bi-directional, so the security of a path is equal to the security of the weakest 
node. [37] A WLAN AP is the gateway for a transitive trust attack. Once the WLAN is 
fooled into trusting an attacker’s computer, the attacker gains access to all systems 
behind the network firewalls. Wired networks physically constrain signals between 
nodes, but there is no way to physically track wireless signal identity during transmission. 
The only current protection is standard IP addressing or a trusted authentication 
mechanism between mobile assets. [38] 
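The transitive trust chain described above, as an added example that is not part of the original thesis: a constructed trust graph (interior server, firewall, AP, mobile stations) with constructed per-node security levels, from which the code lists the nodes a server trusts without ever having configured that trust, together with the weakest-node security each chain actually provides.

```python
"""Transitive trust as the text describes it: if A trusts B and B trusts C then
A trusts C, often without A knowing, and a path is only as secure as its
weakest node.  Added example, not the thesis's code; the trust graph and
security levels below are constructed."""
from collections import deque


def _edges(trust, bidirectional):
    """Direct trust relationships, with every mentioned node present as a key.
    When bidirectional, each relationship is mirrored (A trusts B implies
    B trusts A), as the text notes can happen."""
    edges = {n: set(v) for n, v in trust.items()}
    for n, targets in list(edges.items()):
        for t in targets:
            edges.setdefault(t, set())
            if bidirectional:
                edges[t].add(n)
    return edges


def trust_closure(trust, bidirectional=False):
    """For every node, the nodes it trusts directly or transitively, each with
    the shortest chain of trust through which that trust is inherited."""
    edges = _edges(trust, bidirectional)
    closure = {}
    for start in edges:
        chains = {}
        queue = deque([(start, [start])])
        while queue:                      # breadth-first walk of trust edges
            node, chain = queue.popleft()
            for nxt in edges.get(node, ()):
                if nxt == start or nxt in chains:
                    continue
                chains[nxt] = chain + [nxt]
                queue.append((nxt, chains[nxt]))
        closure[start] = chains
    return closure


def effective_security(chain, level):
    """The security of a trust path equals that of its weakest node."""
    return min(level[n] for n in chain)


def hidden_trust(trust, level, node, bidirectional=False):
    """Nodes that `node` trusts only transitively (never configured directly),
    each with its chain and the security level that chain really provides."""
    direct = _edges(trust, bidirectional).get(node, set())
    chains = trust_closure(trust, bidirectional)[node]
    return {n: (chain, effective_security(chain, level))
            for n, chain in chains.items() if n not in direct}


# Constructed network: an interior server behind the firewall, the firewall
# trusting the WLAN access point, and the AP accepting any associated station.
TRUST = {
    "payroll-server": {"firewall"},
    "firewall": {"ap"},
    "ap": {"mobile-1", "mobile-2"},
}
# Constructed per-node security levels, 1 (weak) to 5 (strong).
LEVEL = {"payroll-server": 5, "firewall": 5, "ap": 3, "mobile-1": 2, "mobile-2": 1}

if __name__ == "__main__":
    for n, (chain, sec) in hidden_trust(TRUST, LEVEL, "payroll-server").items():
        print(f"{n}: via {' -> '.join(chain)}, effective security {sec}")
```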

3. Infrastructure 

Infrastructure attacks are launched against internal system weaknesses including 
software bugs, configuration mistakes, and hardware failures. These occur in WLANs, 
but attack protection is almost impossible. A bug is not discovered until something bad 
happens, so the only recourse is to minimize damage. 

4. Physical Denial of Service 

WLANs are vulnerable to physical denial of service attacks. A powerful 
attacking transmitter can generate interference from outside of the site rendering the 
WLAN useless. The only complete protection is to use the WLAN within a Faraday cage 

36 Sami Uskela, in Wireless Local Area Networks (http://www.tcm.hut.fi/Opinnot/Tik-110.501/1997/wireless_lan.html#IntegrityandConfidentiality, 
Department of Electrical and Communications Engineering, Helsinki University of Technology, December 1997). 

37 Department of Defense Standard, Trusted Computer System Evaluation Criteria 
(http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html#HDR6.3, DOD 5200.28-STD, 
December 1985). 

38 Ibid., p. 6. 
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(a conducting cage that shields electronic equipment). Authorities can locate the 
offending transmitter for as long as the attack continues. 

D. ANALYSIS OF TOOLS WITHIN THE WIRELESS CONTEXT 

The above active attacks show possible weaknesses of wireless networks. There 
are many tools that exploit these vulnerabilities and most are free on the Internet. 
Intrusion detection tools are also available, but require diligence in their implementation. 
Hacker and intrusion detection tools are discussed here. It is important to understand 
how they work, so that less vulnerable wireless networks can be designed. This overview 
of tools will further help the reader understand the security analysis described in the case 
study. 


1. Hacker Tools in WLANs 

Malicious hacker tools evolve as network loopholes are discovered. Their 
proliferation within the wired LAN environment is testimony to their impending use 
within WLANs. They may all be used to attack WLANs and the attacker can easily hide 
by logging on remotely. Some of the better known and therefore more frequently used 
tools of the network hacker are described below. 

a. Satan 

The “Satan” (Security Administrator Tool for Analyzing Networks) LAN 
administrative tool is powerful and easy to use, but can also intrude on and degrade 
network security. It reports security weaknesses in networks by intruding the same way 
an attacker would: from a host that is not part of the LAN. An administrator can discover 
many security holes and repair them. Satan can make systems more secure, but a site's 
administrators must use and act on its results before an attacker does. A skilled 
programmer can modify it making it intrusive, as the product is distributed with complete 
source code. It is also user friendly. Its graphical user interface (GUI) is so easy to use 
that less experienced hackers can operate it. [39] 


39 Clinton Wilder and Jason Levitt, Cure Or Curse? (http •y/wwwjwedk;.com/521/2 lnttsat.htm, April 1995). 
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b. Back Orifice 

Back Orifice (BO) is a Windows 95 administration system that allows 
users to control network machines remotely. From a remote LAN or the Internet, BO 
users have more control of a network machine than the person at the keyboard of that 
machine. After self installation is complete the executables are placed into the system 
where it avoids interference with other applications. After system power up, BO does not 
display on the task or close-program list and reruns every time the computer is started. 

Back Orifice’s capabilities are numerous. Network resources and lists of 
incoming and outgoing connections can be viewed. Network connections can be created 
and deleted. Exported resources and their passwords can be listed, created, and deleted. 
TCP ports can be redirected and files uploaded and downloaded on any port using a web 
browser. Files and directories can be copied, renamed, deleted, viewed, and searched. It 
also lists, creates, deletes, and sets keys and values in the registry. [40] 

c. Internet Protocol Spoofing 

Internet Protocol (IP) spoofing hides a true IP address on Ethernet 
networks while making it appear to have an entirely different address. Blind spoofing is 
available on all other networks, meaning an attacker cannot see which remote host is 
responding. During blind spoofing the remote host responds to the fake address. The 
attacker, therefore, never sees this response. [41] 

d. L0pht Crack 

L0pht Crack is a Windows 95/NT password cracker and auditing tool 
created by L0pht Heavy Industries. Mg. V. Glenn Schoonover, Chief, Network Security, 
Single Agency Manager for Pentagon IT Services stated, “No kidding, this is one bad 
tool. We ran this against a base of 5,000 users and it cracked passwords that had 
previously been uncrackable.” [42] 

40 Jim Williams, Hacker Tools (http://netsecurity.miningco.com/msub19.htm, December 1998). 

41 Ibid. 

42 Ibid. 
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L0phtCrack 2.0 is shareware and was originally envisioned as an 
experimental research tool. The trial period is 15 days after which the product must be 
registered for $50. A stripped down version with source code is available for free. 

e. NT Recover/Locksmith 

NT Recover/Locksmith accesses WinNT computers through a serial 
connection. It can change the administrator's password when the original password has 
been lost. NT Recover/Locksmith has a 100% success rate and gains entry within 
minutes. [43] 


f. Snadboy's Revelation 

Snadboy’s Revelation uncovers passwords that Windows 95/98 have 
hidden behind asterisks. Users can also reclaim previously deleted passwords. 
Snadboy’s Revelation is freeware, but the source code is available for $150.00. [44] 

g. Password Hacker 

Password Hacker is similar to Snadboy’s Revelation in revealing 
passwords normally hidden behind asterisks. [45] 

h. Portscan 

Portscan allows scanning for open ports on a host in a specified port 
range. For example, if the host "microsoft.com" and then the port range from 50 to 150 
are entered, the user may get port 80 in an output text box. This shows that a Web server 
is running on that host. [46] 


43 Ibid. 

44 Ibid. 

45 Ibid. 

46 Ibid. 
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i. Sniffit 

Sniffit is a packet sniffer used on UNIX, Linux, FreeBSD, and Irix 
systems. It listens to all TCP/IP traffic on a subnet, intercepts outgoing and incoming 
requests for Web documents, and decodes authentication passwords. Its scripts wrap 
around the UNIX tcpdump network debugging utility which comes pre-installed in 
UNIX. These scripts will not work on Windows or Macintosh systems, because tcpdump 
is not available on these platforms. [47] 

2. Intrusion Detection Tools 

Intrusion detection is currently being used as a panacea, a poor substitute for well 
engineered solutions. Previously described attacks cannot be countered without 
knowledge that the attack is occurring. The most common intrusion detection 
tools and their capabilities are described below. 

a. Intruder Alert Version 3.0 

Intruder Alert Version 3.0 “...monitors and responds to information 
system threats in real-time across distributed computing platforms.” [48] It automatically 
detects attacks, unauthorized activity, and network abuse from both internal and external 
sources. Intruder Alert uses centralized audit information collection and audit 
reduction capabilities. Intruder Alert runs in the Windows NT background and detects 
real-time system events by monitoring audit logs. It then sends a warning email to the 
administrator and establishes secure communications with the Manager component using 
a 400 bit Diffie-Hellman key. Once authenticated, an algorithm encrypts the Agent’s 
communications. 


47 Ibid. 

48 Steven R. Balmer and Rett SiMey, Intrusion Detection Technology Experiences with Axent Intruder 
Alert (Naval Postgraduate School, August 1998). 
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b. ISS REALSECURE Version 2.5 


ISS REALSECURE is a host based network traffic analyzer with a unique 
attack recognition engine. Its components include a console and multiple engines. The 
console gathers information from engines that are running throughout the network. 
These engines leave no evidence that they are active. [49] 

c. Kane Security Monitor 3.13 

Kane Security Monitor watches the network and provides an alarm for 
intended intrusion, obvious violations, and irregularities in user behavior. It also 
analyzes security event logs on servers and workstations. Kane’s agent service collects 
data based on matched security patterns from event logs and passes it to an auditor 
service. From his console, an administrator can easily install an agent on any NT server 
or workstation. [50] 

d. Session Wall-3 

Session Wall is a sniffer that detects network abuses. It can generate a 
complete picture that sees the network one packet at a time. It only monitors the segment 
to which it is attached, and monitoring of multiple segments requires installation of 
multiple network cards. It is best placed on either side of the firewall or network point of 
entry to the Internet. [51] 


49 Larry Brachfeld, Jimmy Francis, Dan Morris, and Scott Robin, Evaluation of RealSecure (Naval 
Postgraduate School, CS3670, November 1998). 

50 Enno Busch, Murat Akb^, and George Floros, Intrusion Detection System (IDS) Project Report 
(Naval Postgraduate School, CS3670). 

51 Dave Hensley, Katrina Henri^', and Les Prior, Intrusion Detection System Evaluation, Session Wall-3 by 
AbirNet Inc. (Naval Postgraduate School, CS3670, November 1998). 
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E. SECURITY STANDARDS 


HIPERLAN and IEEE 802.11 are two WLAN standards that present features to 
address security vulnerabilities. Many wireless products have no security functions and 
even IEEE 802.11 labels such functions as optional. [52] 

1. HIPERLAN 

The High Performance European Radio Local Area Network (HIPERLAN) 
standard is the wireless broadband access standard created by the European 
Telecommunications Standards Institute (ETSI). This standard defines part of the OSI 
model's physical and data link layer (DLL). The HIPERLAN physical layer operates in 
two frequency bands: 5.15 to 5.25 GHz and 17.1 to 17.3 GHz. Equipment transmitting in 
the first band may operate a 1 W transmitter, and in the second band a 100 mW 
transmitter. A 25 Mbps bit rate at the 5 GHz physical layer can operate on five different 
channels and can grant users equal access to the spectrum. This supports a wide range of 
applications. HIPERLAN equipment cannot legally use the two upper channels of the 5 
GHz band in some countries. 

The MAC HIPERLAN sub-layer is a decentralized sub-system allowing ad-hoc 
applications. This sub-layer provides equipment interoperability and ensures a level of 
security against casual eavesdropping. Connectivity within a single HIPERLAN is 
accomplished at the MAC level by special nodes called “forwarders”. When a signal’s 
intended receiver is out of range, forwarders act as extensions that relay packets on to 
their final destinations. 

HIPERLAN's European Telecommunications Standard (ETS) draft specification 
was approved by ETSI in February 1995 with the following properties: 

1) It may be used in pre-arranged or ad-hoc fashion. 

2) It supports node mobility. 

3) It may have a coverage beyond the radio range limitation of a single node. 

4) It supports both asynchronous (no timing requirement for transmission and the 
start of each character is individually signaled by the transmitting device) and 
time-bounded communication using a Channel Access Mechanism. 


52 Ibid. 
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5) Its nodes may conserve communication power by arranging active reception 
times. [53] 


a. Encryption-Decryption 

HIPERLAN defines an optional encryption-decryption scheme. It uses a 
set of shared keys, referred to as the HIPERLAN key-set. Each key has a unique identifier 
and plain text is ciphered by an XOR operation with a confidential algorithmic 
pseudo-random sequence (Figure (19)). 



Figure 19: HIPERLAN Encryption-Decryption Scheme [54] 


b. Protection 

Wired Equivalent Privacy (WEP) protection levels cannot be evaluated 
here, because they are proprietary. The HIPERLAN standard does not define any 
authentication, so WEP security should not be trusted in sensitive applications. 

2. IEEE 802.11 

IEEE 802.11 is the WLAN standard developed by the Institute of Electrical and 
Electronics Engineers (IEEE). It resolves compatibility issues between manufacturers of 


53 Ibid. 

54 Opinnot, HIPERLAN encryption-decryption scheme, http://www.tcm.hut.fi/Opinnot/Tik-110.501/1997/images/hiperlan.gif, 1997. 
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WLAN equipment, and products supporting it are already on the market. IEEE 802.11 
defines the physical layers and the MAC sublayers for wireless. All physical layers offer 
a 2 Mbps data rate at the 2.4-2.4835 GHz band. The MAC layer has the following 
features: 

1) Supports Isochronous (uniform in time; having equal duration) as well as 
Asynchronous data. 

2) Supports priority. 

3) Association/disassociation to an AP in a Basic Service Set (BSS) (a set of 
stations communicating wirelessly on the same channel in the same area) or 
Extended Service Set (ESS) (a set of BSSs and wired LANs with AP’s that 
appear as a single logical BSS). 

4) Re-association with or Mobility Management to transfer association between 
APs. 

5) Power Management to save battery time. 

6) Authentication to establish terminal identity. 

7) Acknowledgment to ensure reliable transmission. 

8) Timing synchronization to coordinate terminals. 

9) Sequencing with duplication detection and recovery. 

10) Fragmentation re-assembly. 

a. Authentication 

IEEE 802.11 defines two authentication schemes: Open System and 
Shared Key Authentication. The former is a null authentication, because all mobile units 
are accepted to the network. For the latter, a mobile unit requests authentication and the 
base sends an encrypted 128 octet (1024 bits) random number to it using a shared key. 
The unit decrypts the number using the same key and responds. If the base receives the 
correct number, the mobile is accepted into the network. All accepted mobiles use the 
same shared key. Mobiles cannot be distinguished from each other and there is no 
way for the mobile to authenticate the network. 

b. Wired Equivalent Privacy 

IEEE 802.11 defines an optional Wired Equivalent Privacy (WEP) 
mechanism to ensure confidentiality and integrity of network traffic. WEP is used at the 
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station-to-station level and uses the RC4 PRNG (parallel random number generator) 
algorithm. It uses a 40 bit secret and a 24 bit initialization vector (IV) sent with the 
data. WEP also includes an integrity check vector (ICV), so the receiver is always able 
to decrypt the cipher text block. This is illustrated in Figure (20). 
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Figure 20: WEP Mechanism [55] 


c. Parallel Random Number Generator Algorithm 

The PRNG algorithm is proprietary, but has been studied in independent 
research laboratories under nondisclosure agreements. No weaknesses have been 
reported. However, the secret key can be revealed by using a brute-force attack in two 
seconds with tested $100,000 hardware and 0.2 seconds with tested $1,000,000 hardware 
according to 1995 figures. [56] 
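The station-to-station WEP mechanism of sections b and c above, as an added study example that is not part of the original thesis or of any vendor's implementation: a constructed 40-bit secret, a constructed 24-bit IV sent in the clear, the published RC4 keystream XORed over the payload plus a CRC-32 ICV, and the receiver's ICV check on a frame that was corrupted in transit. The last function states the consequence of the 24-bit IV: one secret yields at most 2^24 distinct keystreams before an IV must repeat.

```python
"""WEP frame protection as the text describes it: a 40-bit secret key, a 24-bit
initialization vector (IV) sent in the clear, an RC4 keystream XORed over the
payload plus a CRC-32 integrity check value (ICV), and a receiver that checks
the ICV after decryption.  Added study example, not the thesis's or any
vendor's code; key and payload values below are constructed."""
import struct
import zlib

IV_BITS = 24            # IV transmitted with every frame
SECRET_BITS = 40        # WEP-40 shared secret


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Published RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    """CRC-32 integrity check value, little-endian as 802.11 transmits it."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encapsulate(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Sender side: frame body = IV || RC4(IV || secret)(payload || ICV)."""
    if len(secret) * 8 != SECRET_BITS or len(iv) * 8 != IV_BITS:
        raise ValueError("WEP-40 needs a 5-byte secret and a 3-byte IV")
    plain = payload + _icv(payload)
    keystream = rc4_keystream(iv + secret, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, keystream))


def wep_decapsulate(secret: bytes, frame: bytes):
    """Receiver side: read the clear IV, rebuild the same keystream, decrypt,
    and verify the ICV.  Returns (payload, icv_ok)."""
    iv, cipher = frame[:IV_BITS // 8], frame[IV_BITS // 8:]
    keystream = rc4_keystream(iv + secret, len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, keystream))
    payload, icv = plain[:-4], plain[-4:]
    return payload, icv == _icv(payload)


def keystreams_per_secret() -> int:
    """Distinct keystreams one secret can produce before an IV repeats: the
    IV is the only per-frame input to RC4, so the bound is 2**IV_BITS."""
    return 2 ** IV_BITS


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")   # constructed 40-bit key
    iv = bytes.fromhex("aabbcc")           # constructed 24-bit IV
    frame = wep_encapsulate(secret, iv, b"constructed station data")
    print(frame.hex())
    print(wep_decapsulate(secret, frame))
    # one byte damaged in transit: the receiver's ICV check fails
    damaged = frame[:5] + bytes([frame[5] ^ 0x01]) + frame[6:]
    print(wep_decapsulate(secret, damaged)[1])
    print(keystreams_per_secret())
```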

F. CONCLUSION 

Diligent security management is important to both wired and wireless LANs. 
WLANs can take advantage of available wired LAN security measures and add additional 
features not available in the wired world. Authentication mechanisms may be used over 
IP to perform end-to-end authentication, but this presents a potential launch pad for an 

55 Opinnot, WEP mechanism (http://www.tcm.hut.fi/Opinnot/Tik-110.501/1997/images/ieee2.gif, 1997). 
56 Ibid., p. 6. 
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attacker. The hardware or software based mechanism becomes the only security layer 
between the network and the attacker. The nature of radio communication makes it 
practically impossible to prevent some attacks, such as physical denial of service and 
eavesdropping, but if security is considered while they are being designed, then WLANs 
can be more secure. 
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IV. ANALYSIS AND EVALUATION 


Network designers and administrators face many technology and hardware 
options. Available technologies, topologies, and vendors are analyzed using Kiviat 
diagrams. [57] These diagrams graphically display analyzed attributes by giving a logical 
“picture” of the final evaluation. A Kiviat diagram consists of axes originating from a 
central point in a circular diagram. Each axis represents criteria pertinent to the analyzed 
category with measured gradients from one to five. Each axis and its measurement are 
defined prior to the subject category, summarized in a table, and then shown on the 
Kiviat graph. A perfect evaluation yields a drawing similar to Figure (21). Each subject 
area may differ in its number of axes, but the number of axes and evaluation criteria are 
the same within each category. As will be explained in subsequent sections, these 
categories are considered to be of equal importance. Therefore, they are also equally 
weighted on the Kiviat scales to provide a balanced analysis. The evaluation scope 
begins with available transmission technologies, narrows to popular topologies, and then 
to vendor products. 


57 Shawn D. James, Thinking Strategically about Information-Based Conflict: Developing an Analytical 
Approach to Operational Measures of Effectiveness (Naval Postgraduate School, Thesis, September 1996), 
p. 141. 
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Figure 21: Shaded Kiviat Diagram [58] 


A. TRANSMISSION TECHNOLOGIES 

Narrowband Microwave, Infrared, and Spread Spectrum were explained earlier, 
but further analysis of spread spectrum capabilities is provided here. Spread spectrum 
signals are hard to exploit or spoof, making them attractive for military use. Signal 
exploitation occurs when a non-network member listens to the network and uses acquired 
information for their own advantage. Spoofing is maliciously introducing unauthorized 
traffic into a network under a false address. Advantages of FHSS over DSSS are 
discussed below. [59] 

• Throughput: Point-to-point throughput is variable between both DSSS and 
FHSS products. Protocols for DSSS throughput sacrifice mobility and roaming 
performance, but FHSS provides greater power, signal efficiency, mobility, and immunity 
from multipath interference. 


58 Ibid. 

59 Proxim White Paper, <7 Wireless LAN Technology, 
http://www.proxim.com/learn/whiteppr/select.shtml. 
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• Interception: DSSS data is easier to intercept than FHSS data. Constant hopping 
of FHSS signals makes them less susceptible to interference and interception. DSSS, on the 
other hand, uses simple spreading codes that allow mapping of transmissions back into 
original data. Once an attacker is on the DSSS frequency, he need only transform the 
signal back to its original form by using an appropriate algorithm. Both DSSS and FHSS 
can be supplemented with specialized encryption devices, but this increases cost, weight 
and power consumption of the mobile unit. 

• Power: FHSS radios use less power than DSSS and have a practical limit of 2 
Mbps. The Direct Sequence radio rate of 8 Mbps is only necessary if high performance is 
key, but is more sensitive to interference. 

• Efficiency: FHSS can provide up to four times more network capacity than 
DSSS. In the 2.4 GHz band, the maximum number of non-overlapping 2 Mbps DSSS 
channels is three (for a total capacity of 6 Mbps). 

• Mobility: FHSS products provide better mobility, are smaller, lighter, and 
consume less power. Unlike DSSS, FHSS incorporates roaming without sacrificing 
throughput and scalability. 

• Overlapping: This is a form of non-malicious interference caused by stray 
external radio emissions overlapping the network signals. DSSS networks are 
susceptible to overlapping, but FHSS networks can simply "hop around". FHSS products 
spend only milliseconds at each frequency. DSSS is not frequency agile. Products using 
DSSS are set at stationary, preselected frequencies and cannot avoid this interference. 

• Immunity from Multipath Interference: Multipath interference is caused when 
signals bounce off of walls, doors, or other objects so that signals arrive at the destination 
at different times. This problem is automatically avoided by FHSS. FHSS simply hops 
to a different frequency that is not attenuated. DSSS is not capable of overcoming this 
effect. 

1. Transmission Technology Evaluation 

All transmission technologies are evaluated using the following equally weighted 
axis criteria and displayed in Table (2): 

• Resilience against active attacks 

• Ease of hardware installation 

• Resilience against interference/blockage 

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• Transmission speed 

• Range between nodes 

• Signal security 




Axis                                     | Rating | Meaning 
Resilience against active attacks        | 1      | Possesses very little protection. 
                                         | 2      | Possesses some protection. 
                                         | 3      | Possesses moderate protection. 
                                         | 4      | Possesses good protection. 
                                         | 5      | Possesses complete protection. 
Ease of hardware installation            | 1      | Very difficult; contractor installation is required. 
                                         | 2      | Difficult; experienced personnel can accomplish. 
                                         | 3      | Moderately difficult; some experience required. 
                                         | 4      | …r; experience helpful, but not required. 
                                         | 5      | …rience required. 
Resilience against interference/blockage | 1      | Interference cannot be avoided. 
                                         | 2      | Difficult to avoid interference. 
                                         | 3      | Interference avoidable with some installed precautions. 
                                         | 4      | Some interference problems, but are avoidable. 
                                         | 5      | Has no interference problems. 
Transmission speed                       | 1      | Very slow. 
                                         | 2      | Slow. 
                                         | 3      | Moderately fast. 
                                         | 4      | Fast. 
                                         | 5      | Extremely fast. 
Range between nodes                      | 1      | Very poor; must be within a few feet of the AP. 
                                         | 2      | Poor; must be within same room. 
                                         | 3      | Average; APs can be in adjacent rooms. 
                                         | 4      | Good; must be within same building. 
                                         | 5      | Very good; no range limitations when using directional antennas between buildings. 
Signal security                          | 1      | Unsecured; encryption/decryption does not prevent security intrusion. 
                                         | 2      | Poor; encryption/decryption may prevent security intrusion. 
                                         | 3      | Average; encryption/decryption prevents security intrusion. 
                                         | 4      | Secure; signal is difficult to break, but encryption/decryption is advised. 
                                         | 5      | Completely Secure; encryption/decryption is not required. 

Table 2: Transmission Technology Axis Criteria 
Each technology is evaluated in Table (3) and results graphically displayed in 
Figures 22 and 23. 


Table 3: Transmission Technology Evaluation 
(numeric ratings not legible; meanings listed per technology, axes a to f as in Table 2) 

Narrowband 
  a  Is susceptible to eavesdropping and denial of service. 
  b  Professional installation necessary for FCC compliance. 
  c  Interference avoidable with FCC licensing. 
  d  Is a high speed radio frequency transmission. 
  e  Is designed for use between buildings. 
  f  Encrypted signal is mixed with the carrier frequency. 

Infrared 
  a  Attacks must be initiated within the same room. 
  b  Ad hoc configurations are installed using COTS products. 
  c  Blockage is unavoidable. 
  d  Very fast: 50 Mbps. 
  e  Range is limited to three feet. 
  f  …ed 

FHSS 
  a  Is susceptible to physical denial of service. 
  b  Requires basic installation skills. Algorithms and FCC requirements are pre-programmed. 
  c  Can hop around interference. 
  d  Uses radio frequencies at 2 Mbps. 
  e  Must be within same building; range depends upon transmitter power. 
  f  Hopping algorithms can be kept secret. 

DSSS 
  a  Susceptible to all forms of attack, but its code is easier to break than FHSS algorithms. 
  b  Requires basic installation skills. Bit codes and FCC requirements are pre-installed. 
  c  Operates on pre-set frequency; susceptible to malicious transmitters. 
  d  Maximum 8 Mbps if using expensive “top-of-the-line” equipment. 
  e  Must be within same building; range depends upon transmitter power. 
  f  Bit codes can be kept secret, supplementary encryption is advised. 

Figure 22: Technology Evaluation 

Figure 23: Best Technology (FHSS) 


2. Best Technology Analysis 

Both spread spectrum methods carry large volumes of data, but FHSS is superior. 
It is scaleable, mobile, secure, can accommodate overlapping networks, and is resistant 
to interference. FHSS is the best technology for 2.4 GHz wireless networks. 
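The equal-weight axis scoring and Kiviat comparison used above, as an added example in Python (not code from the thesis): it validates 1..5 ratings on the six Table 2 axes, computes the mean score and the area of the Kiviat polygon (which, for a given mean, is largest when the profile is balanced across axes), and ranks candidates. The sample ratings are constructed for illustration and are not the thesis's scores.

```python
"""Equal-weight axis scoring and Kiviat (radar) comparison of WLAN options.

Added example; not code from the thesis.  The six axis names and the 1..5
scale are the thesis's own.  The sample ratings below are CONSTRUCTED for
illustration and are not the thesis's published scores.
"""
import math

# Axes a..f of Table 2, in the order they are drawn around the Kiviat chart.
AXES = (
    "resilience_active_attacks",   # a
    "ease_of_installation",        # b
    "resilience_interference",     # c
    "transmission_speed",          # d
    "range_between_nodes",         # e
    "signal_security",             # f
)


def validate(ratings):
    """Every axis must be present and rated with an integer 1..5."""
    missing = [a for a in AXES if a not in ratings]
    if missing:
        raise ValueError(f"missing axes: {missing}")
    for axis, r in ratings.items():
        if not isinstance(r, int) or not 1 <= r <= 5:
            raise ValueError(f"{axis}: rating {r!r} is not an integer in 1..5")
    return True


def is_valid(ratings):
    """Boolean form of validate() for callers that do not want an exception."""
    try:
        return validate(ratings)
    except ValueError:
        return False


def mean_score(ratings):
    """Equal-weight score: the plain average over the six axes."""
    validate(ratings)
    return sum(ratings[a] for a in AXES) / len(AXES)


def kiviat_area(ratings):
    """Area of the polygon the ratings draw on a Kiviat chart.

    With n equally spaced axes, neighbouring spokes r_i and r_(i+1) enclose a
    triangle of area r_i * r_(i+1) * sin(2*pi/n) / 2; the polygon is their sum.
    For a fixed mean the area is largest when the profile is balanced, so it
    penalises an option that is strong on some axes and weak on others.
    """
    validate(ratings)
    n = len(AXES)
    r = [ratings[a] for a in AXES]
    return sum(r[i] * r[(i + 1) % n] for i in range(n)) * math.sin(2 * math.pi / n) / 2


def weakest_axis(ratings):
    """The axis that most limits the option (first one on ties)."""
    validate(ratings)
    return min(AXES, key=lambda a: ratings[a])


def rank(candidates):
    """Order candidate names by mean score, then by Kiviat area (balance)."""
    return sorted(
        candidates,
        key=lambda name: (mean_score(candidates[name]), kiviat_area(candidates[name])),
        reverse=True,
    )


# CONSTRUCTED sample ratings keyed by axis; values are illustrative only.
SAMPLE = {
    "FHSS":       dict(zip(AXES, (4, 4, 4, 3, 4, 4))),
    "DSSS":       dict(zip(AXES, (3, 4, 2, 4, 4, 3))),
    "Infrared":   dict(zip(AXES, (4, 5, 1, 5, 1, 3))),
    "Narrowband": dict(zip(AXES, (2, 1, 3, 4, 5, 4))),
}


def main():
    for name in rank(SAMPLE):
        r = SAMPLE[name]
        print(f"{name:10s} mean={mean_score(r):.2f} "
              f"area={kiviat_area(r):6.2f} weakest={weakest_axis(r)}")


if __name__ == "__main__":
    main()
```

In the constructed sample, Infrared and Narrowband tie on mean score and the Kiviat area breaks the tie in favour of the more balanced profile.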
B. TOPOLOGIES 


Multiple topologies have been discussed and are all acceptable networking 
architectures. Deciding which to use is dependent upon how the topology will be used. 
Evaluating each topology under generic conditions will determine the best model. 

1. Topology Evaluation 

Wireless topologies are evaluated using the same axis criteria as defined for 
transmission technologies with the exception of axis “d”. Criteria for transmission 
technology axes “a” through “c” and “e” through “f” are directly related to wireless 
topologies, while the axis “d” criteria are not. Centrally shared resources are evaluated on this 
axis as defined in Table (4): 


Table 4: Axis “d” Criteria For Topology Evaluation 

Axis d - Use of Centrally Shared Resources 
  1  No access to centrally shared resources. 
  2  Access to non-centrally shared resources. 
  3  Access to shared resources, but not continuous. 
  4  Access to shared resources, but not interactive. 
  5  Continuous, interactive access to centrally shared resources. 


Each topology is evaluated in Table (5) and results graphically displayed in 
Figures 24 and 25. 
Table 5: Topology Evaluation 
(numeric ratings not legible; meanings listed per topology, axes a to f as in Tables 2 and 4) 

Topology 1 
  a  Possesses no MAC controls; susceptible to active attacks. 
  b  Any computer can be added to the network. 
  c  Has no wired protections within the network. 
  d  Has no access to centrally stored resources. 
  e  Is susceptible to physical blockage (walls). 
  f  Possesses no network firewall nor secure backbone. 

Topology 2 
  a  Possesses no MAC controls; susceptible to active attacks. 
  b  Any computer can be added to the network. 
  c  Has no wired protections within the network. 
  d  Has access to one BS. 
  e  Is range restrictive, but the BS reco… 
  f  Possesses no network firewall nor secure backbone. 

Topology 3 
  a  Security; protective measures built into wired segments. 
  b  Access to the wired BS requires configuration. 
  c  Mobile unit can be handed off to another cell if blocked. 
  d  Access to one BS at a time; simultaneous access to multiple mobile units. 
  e  Communication with remote BS via wired segments. 
  f  Encryption/decryption required on wired segments. 

Topology 4 
  a  Protective measures built into wired segments. 
  b  Access to the wired BS requires configuration. 
  c  Interference/blockage is easy at the wireless segments. 
  d  Simultaneous access to multiple BSs, but does not know which mobile stations are associated with these BSs. 
  e  Communication with remote BSs via wired segments, but drift may occur. 
  f  Encryption/decryption required on wired segments. 

Topology 5 
  a  Attack must be initiated within the same room. 
  b  Configuration needed between mobile units and peripherals. 
  c  Blockage is unavoidable. 
  d  Has access to non-centrally shared peripherals. 
  e  Range is limited to three feet using inexpensive equipment. 
  f  Doesn’t have a protected wire backbone. 

Figure 24: Topology Evaluation 
2. Best Topology Analysis 

Cellular topologies are the best for general usage. Their coverage area is adequate 
for both small and large LANs, and network resources are shared. 

C. VENDOR TOPOLOGIES 

Commercial products are diverse. Some are specifically designed for small 
offices while others provide signal transmission from building to building. Each is 
evaluated using methods similar to those used to analyze technologies and architectural 
topologies. 


1. Vendor Topology Evaluation 

Evaluation is limited to vendors that use FHSS with Cellular-based topologies 
thus eliminating products not suitable for DoD. Axis criteria for “b” and “d” are 
identical to those used for the technology analysis. Criteria for remaining axes are 
defined in Table (6). 


Table 6: Vendor Topology Axis Criteria 

Axis a - Compliance with IEEE 802.11/HIPERLAN 
  1  Not compliant with known standards. 
  2  Compliant with standards other than IEEE 802.11/HIPERLAN. 
  3  Compliant with HIPERLAN only. 
  4  Compliant with IEEE 802.11 only. 
  5  IEEE 802.11 and HIPERLAN compliant. 

Axis c - System Management 
  1  Very difficult; requires continual contractor maintenance. 
  2  Difficult; requires scheduled contractor maintenance. 
  3  Moderate; requires some maintenance experience. 
  4  Easy; maintenance experience not required. 
  5  “Hands-off”; system maintains itself during normal operation. 

Axis e - Scalability/expandability 
  1  Not expandable after installation. 
  2  Expandable, but very limited. 
  3  Expandable, but limited. 
  4  Easily expandable. 
  5  Unlimited expandability. 

Axis f - Compatibility 
  1  Not compatible with any other vendor product. 
  2  Compatibility limited to unacceptable vendor products (IR, Narrowband). 
  3  Compatible with some vendor products. 
  4  Compatible with most acceptable vendor products. 
  5  Compatible with all analyzed products. 


Each vendor topology is evaluated (Table 7) and results graphically displayed in 
Figures 26 and 27. 
Table 7: Vendor Topology Evaluation 
(numeric ratings not legible; meanings listed per product, axes a to f as in Tables 2 and 6) 

Product 1 
  a  Is IEEE 802.11 and HIPERLAN compliant. 
  b  Hardware installation difficulty is moderate, but software requires vendor configuration. 
  c  Possesses multiple software peripherals requiring experienced management. 
  d  Provides for adequate bit rate at 2 Mbps. 
  e  Easily expandable using software/hardware from same manufacturer. 
  f  Can be used in conjunction with other manufacturers, but is not specifically designed for this. 

Product 2 
  a  Is IEEE 802.11 and HIPERLAN compliant. 
  b  Installation is “plug-and-play”. 
  c  Some training involved for AP hopping pattern configuration. 
  d  Provides a good bit rate at 3.2 Mbps. 
  e  Expandable to 62 users with 15 overlapping cells. 
  f  Can be used in conjunction with other manufacturers, but is not specifically designed for this. 

Product 3 
  a  Is IEEE 802.11 and HIPERLAN compliant. 
  b  Directional antenna installation required. 
  c  Settings are pre-configured. 
  d  Provides a good bit rate at 3.2 Mbps. 
  e  Limited to bridge routing between buildings. 
  f  Can be used in conjunction with other WLAN manufacturers. 

Product 4 
  a  Is IEEE 802.11 and HIPERLAN compliant. 
  b  Directional antenna installation and configuration required. 
  c  Some post installation maintenance required. 
  d  Provides a good bit rate at 3.2 Mbps. 
  e  Unlimited. 
  f  Is designed for compatibility with other vendors. 

Figure 26: Vendor Topology Evaluation 

Figure 27: Best Vendor Topology (Jaguar) 
2. Best Vendor Topology Analysis 

Each vendor topology has its strengths and weaknesses and can be used to meet 
specific needs, but Jaguar is the most balanced. It offers flexibility, expandability, and 
vendor compatibility. 

D. WLAN CASE STUDY: WIRED SEGMENT REPLACEMENT 

This case study evaluates security implications of incorporating wireless 
technology in a standard wired LAN at the Naval Postgraduate School (NPS) in 
Monterey, CA. The LAN’s physical and logical organization are discussed, then 
replacement of wired links with wireless is examined. The security effects of each 
substitution are investigated. 

Figure (28) shows the NPS Token Ring LAN architecture located in a classroom 
at Ingersoll Hall. It is hard wired to the larger campus backbone that provides both 
Internet and intercampus LAN access. There is a firewall between the campus backbone 
and the Internet, but not between the backbone and the LAN. Each LAN client runs 
Windows NT and communicates with the server and other users via Multistation Access 
Units (MAUs). These client computers are assigned names (TN31, TN32, TN33, etc.) 
for physical identification during routine maintenance and repair by System 
Administrators. Administration is managed at the server, but a System Administrator can 
login using his account access from any LAN client. Most applications are pre-loaded 
onto the individual terminals, but some are centrally stored on the server. 

Logical LAN organization uses domains to manage permission databases, groups 
for assigning broad sets of permissions to multiple users, and user accounts to control 
security at each client. The domain is a logical arrangement of LAN hardware resources 
referenced by a specific name. It provides a single security permissions database used by 
all clients attached to it. Ingersoll’s LAN is a part of the ‘Systems Management’ domain. 
Groups are security entities within the domain that offer broad sets of permissions to 
the users assigned to them. They allow System Administrators to control access for a large 
collection of users rather than assigning permissions to individual users. Users can be 
simultaneously assigned to more than one group. User accounts are referenced by user 
names and contain passwords, permissions, group associations, and user preferences. 

The physical and logical LAN organization are tied together when an authorized 
user logs into the system. The user can login to the network from any client attached to 
the Systems Management domain by providing their user name and password. This 
account information is passed to the server which authenticates the user. Once 
authenticated, the user becomes a part of the network and can use its resources. During 
this process users will see the domain that they are logging into, but their group 
association is transparent to them and pre-assigned by system administrators. The server 
also has an optional guest account. This allows general access to resources and can only 
be enabled from an administrator account. Ingersoll’s LAN administrators have disabled 
this option, because it allows anyone to login to the network, leaving the system 
vulnerable to attack by malicious users. 

While attached to the network, users can share each other’s resources using the file 
transfer protocol (FTP). User “A” can make his workstation the FTP server while user 
“B” becomes the FTP client. Once “A” accepts “B” as an authorized client, the FTP 
application allows “B” to see and download files from “A”. 
Figure 28: Ingersoll 224 Token Ring LAN 


Maintaining user mobility while retaining LAN connectivity is desired. 
Replacing wired LAN segments with wireless provides many alternatives for achieving 
this mobility. Some options provide diversity as to where different portions of the LAN 
can be installed while maintaining a wireless connection to the network. Other options 
provide physical user mobility to the client. Eventually, although not presented here, 
users will be able to operate within one WLAN, logoff when complete, physically move 
their client to another WLAN in another location, and login without reconfiguring their 
computer. The user needs only to specify the new domain from a drop-down menu and 
login using their account information. The RF transmission between the laptop and 
network AP would be decoded at the AP with the account information forwarded to the 
server for verification. With these options in mind, administrators may choose to deviate 
from standard wireless network architectures and create wired/wireless LAN hybrids. 
Possible wireless segmentation is discussed below. 

1. Wireless Between User and Multistation Access Unit 

The replacement of wires between users and a MAU by wireless connections is 
evaluated first. The advantage of this architecture is that it permits some or all users to 
roam outside of the classroom while remaining connected. Figures (29) and (30) show 
this architecture. 


Figure 29: Hard Wired LAN With Wireless Users (figure labels: Ingersoll, Gateway) 
When logging into the network the user ensures that his drop down menu shows 
the domain name ‘Systems Management’. After typing in his account information the 
user pushes “enter” and sends the data, via RF signal, to the receiving AP. The AP 
translates the signal back into binary code and forwards the request to the server. The 
server acknowledges receipt of the data, and either accepts or rejects the user. If 
authorized, the user joins the network. User mobility is maintained without weakening 
access security. All communications between mobile units and network resources are 
still passed through MAUs. This configuration also uses fewer MAU ports, thus freeing 
them for other devices. 

2. Wireless Between Servers and Multistation Access Units 

A topology in which wired connections between the server and MAUs are 
replaced with wireless technology is evaluated next. The advantage for this topology is 
that it allows a MAU and its attached clients to be placed in a room separate from the 
server while keeping a connection to the network. Figures (31) and (32) show this 
architecture. 



Figure 31: Hard Wired LAN With Wireless Connection Between Server and MAU 

Figure 32: Wireless Between Server and Multistation Access Units 

As in the previous example, security is not compromised, because access controls 
are still in place. Users must still login to the server and be granted access prior to 
entering the network. 

3. Wireless Between Multistation Access Units 

The benefits achieved by replacing wired connections between MAUs are few, 
but notable. Wireless connections between MAUs do not increase client physical 
mobility, but offer user virtual mobility. Connected users can logout, physically move to 
a different client in a different room, and login again, resuming their connection to the 
network. Hardware expense is also saved, because wires don’t need to be installed 
between MAUs. User login procedures remain the same. Figure (33) shows this 
schematic. 
4. Wireless Between Backbone and Ingersoll LAN 

Replacing the connection between the LAN and campus backbone with 
directional wireless antennas is evaluated next. There are cost savings in this case, 
because LANs are connected to the backbone without purchasing and installing wire. 
The firewall is still located between the backbone and the Internet, so overall security is 
not degraded. Access within the LAN is still handled by the server. One concern is the 
RF transmission being “in the open”. An attacker in the preceding examples has to 
overcome physical obstructions such as walls and doors. The LAN-to-backbone wireless 
connection puts the signal outside of the building, thus making it more susceptible to 
exploitation or interference, because an attacker need not worry about penetrating the 
building structure. Figures (34) and (35) show this architecture. 



Figure 34: Hard Wired LAN With Wireless Connection to Campus Backbone 

Figure 35: Wireless Between Backbone and Ingersoll LAN 


5. Summary 


Each configuration has its strengths and weaknesses. There is no single solution 
that is applicable to all WLANs. Administrators must first determine their requirements 
and then decide which segments to replace. For example, if all users are using desktop 
computers in the same room, it makes no sense to install wireless segments between 
these users and the MAUs. Their computers would become theoretically “mobile”, but 
their physical size and weight would keep them stationary. After determining LAN 
requirements, an administrator can choose from previously mentioned vendor topologies 
or develop a hybrid of his own. 

E. WIRELESS LAN CASE STUDY: WIRELESS SEGMENT ATTACKS 

Wireless segment replacement has its advantages, but it can also make the 
network vulnerable to attack. FHSS is indiscernible to unauthorized receivers, but a 
knowledgeable attacker who knows the hopping algorithm can decode the received 
signal. Additionally, an attacker can still disrupt the network without knowing any 
algorithms. In either case, the level of vulnerability depends on the network 
configuration. The following are methods that an attacker can use to exploit wireless 
segmentation. 


1. By-passing Access Controls; Frequency Hopping Algorithm Known 

Windows NT 4.0 user groups control access to specific network resources. Figure 
(36) shows a poorly placed AP between the server and an extended resource such as a 
database located on another machine. The server authenticates users prior to granting 
access, but an attacking transceiver can transmit into the signal “cloud” and gain access 
to the unprotected resource. The attacker can then enter the server spoofing the extended 
resource. If the server trusts the intruder, the attacker can control all services provided by 
the server and manipulate the network. Users can be fooled into sharing sensitive or 
classified information and may also unknowingly log in directly to the attacker’s system 
via the server. Other unauthorized actions include: 
Figure 36: By-passing Access Controls; Frequency Hopping Algorithm Known 
a. Resource Exploitation 


The attacker can obtain information from the server and use it to his 
advantage. He can download any personal information about users with authorized 
network access. 


b. Falsifying Information 

The attacker can transmit false information to authorized network users. 
This damages resource integrity and can lead to cascading problems as users apply or 
pass this information to other users. 

c. User Access Data 

The attacker can acquire group access data thereby gaining knowledge of 
which users have the fewest access restrictions. This helps the attacker focus future 
exploitation on specific users who have higher network privileges. 

2. Bypassing the Firewall; Frequency Hopping Algorithm Known 

Figure (37) shows a directional antenna placed between Ingersoll’s LAN and the 
campus backbone. Knowing the frequency hopping algorithms allows an unauthorized 
transceiver to intercept data transmissions between the backbone and LAN receiver. This 
effectively allows the attacker to bypass the firewall. Once inside the backbone, the 
attacker can potentially access all network servers within NPS. It can also receive and 
send data through all connections accessed by Ingersoll’s LAN. 
Figure 37: Intrusion Inside the Firewall; Frequency Hopping Algorithm Known 


3. Direct Connection to Wireless Users; Frequency Hopping Algorithm Known 

Figure (38) shows an unauthorized transceiver gaining direct access to wireless 
network users while circumventing both firewall and server access protection. This 
allows the attacker communication with users and possibly IP spoofing to implement a 
transitive trust attack. Using another user’s IP address the attacker fools an authorized 
user into logging into the attacking system by luring the victim into believing the attacker 
is the server. This method also allows the attacker to trick the server into thinking that 
the intruder is a valid user. These attacks are initiated using a couple of techniques. 



Figure 38: Direct Connection to Wireless Users; Frequency Hopping Algorithm Known 
a. Direct User Connection 


This method allows direct connection to users by “dialing” into their 
machines. With a spoofed IP address, the attacker sends a signal directly to the user 
requesting an FTP connection. After the unsuspecting user accepts the intruder as a 
fellow authorized user, the attacker has control of the user’s files. Subsequently, the 
attacker can use the compromised machine to gain access to server resources posing as 
the victim user. 

b. Indirect User Connection 

This requires the attacker to gain access to the server first and then 
communicate with a user while presenting himself as another valid network user. The 
initial RF signal is sent directly to the AP, is passed on to the server, and is accepted using 
a spoofed IP address. The attacker can then communicate with any network user. The 
valid user doesn’t suspect the intrusion because he believes the attacker to be valid. 

4. IP Spoofing Between Multistation Access Units; Frequency Hopping Algorithm Known 

Figure (39) shows an attack on transmissions between MAUs. This doesn’t 
provide direct RF access to users or servers, but allows manipulation of data being passed 
between LAN portions. With enough illegally confiscated data, the attacker can initiate a 
number of attacks posing as other users. 
Figure 39: IP Spoofing Between MAUs; Frequency Hopping Algorithm Known 


5. Denial of Service; Frequency Hopping Algorithm Not Known 

Figure (40) shows transceivers attacking all wireless sections of the network. 
Without knowing the FHSS hopping algorithm, the attackers can transmit enough power to 
override authorized signals. This nullifies valid transmissions and renders the network 
physically useless for the duration of the attack. 
Figure 40: Denial Of Service; Frequency Hopping Algorithm Not Known 


F. WIRELESS LAN CASE STUDY: DETECTING THE ATTACKER 

The previous examples show how an attacker can exploit the network. Detecting 
these attacks requires diligence and an understanding of how the network is mapped. 
Using the Windows NT 4.0 server manager a systems administrator can “see” all users who 
are online and which workstations they are using, but this doesn’t provide information 
about malicious attacks launched by wireless invaders from outside of the network. Two 
methods for detecting unauthorized wireless intrusions are: using software sniffers and 
using hardware transmitter detectors. This section will provide a synopsis of possible 
ways to defeat attacks specific to wireless networks. It does not provide a survey of all 
tools available for this detection, but rather two possible technologies to combat such 
attacks. 


1. Software Sniffers 

Sniffers are more important to WLANs, because misuse of the network is easier. 
This is because access to the transmission medium is not as physically 
controlled as it is in hard wired LANs. Intrusion detection, discussed in previous 
sections, uses software tools that look for irregular data packet transfers between nodes. 
This irregularity is determined by the type of attack being initiated. These applications 
may detect when an unauthorized user has hacked into the network. If the network sniffer 
detects an irregularly named user, then that user may be accessing the network in an 
unauthorized capacity. For example, users might be online using only three terminals, 
TN26, TN27, and BERTHA. Suppose that BERTHA is not a name assigned to any 
authorized workstation. The user may be using an authorized user name and password 
with an unauthorized workstation, or may have simply found a way to hack into the 
network using a spoofed user name and password. These conditions are the same for 
wired and wireless networks. The attacker must still access the LAN via an AP, so the 
network administrator can detect the intruder at this choke point. Then other methods 
specific to wireless can be employed to locate the attacking transmitter. 
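The workstation-name check described above, as an added example in Python (not code from the thesis): it audits session records against the TNnn naming convention and an inventory of issued clients, groups findings by the AP choke point, and goes one step beyond the text by also flagging an account active on two workstations at once. The record format, the inventory, the AP names and all sample lines are constructed assumptions; Windows NT server manager produces no such log.

```python
"""Audit online sessions for workstations outside the authorized inventory.

Added example; not code from the thesis.  It implements the thesis's
detection idea (an unfamiliar workstation name such as BERTHA among the
authorized TNnn clients) and additionally flags one account active on two
workstations at once.  The record format, the AP field and all sample lines
are CONSTRUCTED for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Naming convention for authorized classroom clients (TN31, TN32, ...).
NAME_CONVENTION = re.compile(r"^TN\d+$")
# CONSTRUCTED inventory of workstations actually issued in the classroom.
INVENTORY = frozenset({"TN26", "TN27", "TN31", "TN32", "TN33"})

# CONSTRUCTED record format: "<time> user=<name> workstation=<name> ap=<ap>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+workstation=(?P<ws>\S+)\s+ap=(?P<ap>\S+)\s*$"
)

REASON_NAME = "workstation name outside the TNnn convention"
REASON_INVENTORY = "workstation name follows the convention but is not in inventory"
REASON_MULTI = "one account active on more than one workstation"
REASON_UNPARSED = "line does not match the expected session format"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    workstation: str
    access_point: str
    reason: str


def parse_line(line):
    """Return the session fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(lines, inventory=INVENTORY, convention=NAME_CONVENTION):
    """Run every check over the session lines and return the findings in order."""
    findings = []
    workstations_by_user = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A malformed record is itself worth a look rather than silently dropped.
            findings.append(Finding("-", "-", "-", "-", REASON_UNPARSED))
            continue
        ws = rec["ws"]
        workstations_by_user[rec["user"]].add(ws)
        if not convention.match(ws):
            reason = REASON_NAME          # e.g. BERTHA
        elif ws not in inventory:
            reason = REASON_INVENTORY     # looks right, but was never issued
        else:
            continue
        findings.append(Finding(rec["ts"], rec["user"], ws, rec["ap"], reason))
    # Beyond the thesis's check: the same credentials in use from two clients
    # at once is another sign that an unauthorized workstation is involved.
    for user, wss in workstations_by_user.items():
        if len(wss) > 1:
            findings.append(Finding("-", user, ",".join(sorted(wss)), "-", REASON_MULTI))
    return findings


def by_access_point(findings):
    """Group findings by AP: the choke point every wireless intruder passes."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.access_point].append(f)
    return dict(groups)


# CONSTRUCTED sample session records.
SAMPLE_LINES = [
    "09:00:01 user=smith workstation=TN26 ap=AP-224",
    "09:00:05 user=jones workstation=TN27 ap=AP-224",
    "09:01:12 user=admin workstation=BERTHA ap=AP-224",
    "09:02:40 user=smith workstation=TN40 ap=AP-224",
    "09:03:00 this line is not a session record",
]


def main():
    for ap, group in by_access_point(audit(SAMPLE_LINES)).items():
        print(f"== {ap}")
        for f in group:
            print(f"  {f.timestamp} {f.user} {f.workstation}: {f.reason}")


if __name__ == "__main__":
    main()
```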

2. Hardware Transmitter Detectors 

Locating an attacking transceiver can only begin after an ongoing attack has been 
detected. As described in the previous section, packet sniffing can be used to detect 
unauthorized activity on the LAN. To accomplish an attack the intruder has to be 
transmitting a signal into the LAN’s AP. Devices are available that can track the 
intensity of and the direction from which a signal is generated. An attacker who is 
passively listening to data transmissions between mobile nodes and LAN APs can also be 
tracked. In order to receive and use an FHSS signal the attacker’s receiver must be 
receiving the signal at the same frequencies that the carrier signals are using. Once 
captured, the attacking receiver decodes the signal into usable data with an internal 
oscillator that tunes to the received signal frequency. This oscillation causes leakage 
current detectable using inexpensive tracking receivers. These receivers may be large 
and very sensitive or small and dedicated to picking up leakage current from very small 
coverage areas. Such receivers can be created using equipment purchased from any 
electronics store. Once this frequency leak is detected, the direction from which the 
attack is emanating is determined and the intruder can be located. These leakage 
detection receivers have been used by television movie subscription companies for over 
15 years to track unauthorized reception antennas mounted on homes and offices. They 
are not currently provided by makers of wireless products, but could be included in the 
arsenal of intrusion detection tools. 
V. CONCLUSION 


Wireless LANs will eventually be a common alternative to the wired LAN. 
Wireless networking is a rapidly emerging technology and security must be addressed as 
it is incorporated into new and existing networks. What are the unique properties of 
wireless LANs that might amplify existing LAN vulnerabilities or introduce new ones? 
This study began with the review of available technologies. Wireless transmission 
techniques, topologies, and vendor offerings were surveyed from a security perspective. 
This information was graphically displayed using Kiviat drawings to show symmetric 
comparisons of each analysis category. FHSS transmission technology, cellular topology, 
and the Jaguar product emerged as the best approaches available. These results were 
applied to a case study that examines network wired segment replacement options, 
wireless segment attacks, and methods to detect an attacker. 

Future wireless networks should provide easy connectivity between authorized 
clients and the network with which they are associated. These systems must be built to 
be secure from the ground up. Pushing vulnerability mitigation to the final phases of 
development will leave security loopholes that are impossible to close. Hardware 
encryption/decryption devices are not used by most products, but software encryption 
exists in the form of transmission algorithms. Leakage current detectors, discussed in 
Chapter Four, should also be designed for WLAN system compatibility and then sold as 
an intrusion detection tool. This would alleviate problems associated with the passive 
attacker who uses a receiver to intrude on a WLAN. 

Wireless replacement segments for wired networks are recommended where user 
mobility is desired. System administrators have many technology options from which to 
choose. With a solid knowledge of available technologies and topologies, suitable 
vendors can be chosen to provide the right equipment to meet the WLAN needs for any 
organization. Current standards offer guidance that shows how wireless technologies 
operate, but do not relate to quality LAN design. 

The analysis provided in this paper is one approach to quantifying technology and 
product advantages. These metrics are universal in their application and can be tailored 
to measure the strengths and weaknesses of various wireless networking components. 
With proper planning and sensible decisions, a WLAN administrator can successfully 
introduce wireless technology to a LAN while maintaining its previous level of security. 
APPENDIX A. ABBREVIATIONS 


AP - Access Point 

ATM - Asynchronous Transfer Mode 

BER - Bit Error Rate 

bps - bits per second 

BSS - Basic Service Set; a set of stations communicating wirelessly on the same channel 
in the same area (in IEEE 802.11) 

CA - Certificate Authority 

CAC - Channel Access Control (in HIPERLAN) 

CAM - Channel Access Mechanism (in HIPERLAN) 

ESS - Extended Service Set; a set of BSSs and wired LANs with Access Points that 
appear as a single logical BSS (in IEEE 802.11) 

ETR - ETSI Technical Report 

ETSI - European Telecommunications Standards Institute 

GSM - Global System for Mobile communications 

HIPERLAN - High PErformance Radio Local Area Network 

HM-entity - HIPERLAN MAC entity 

ICV - Integrity Check Vector 

IEEE - Institute of Electrical and Electronics Engineers 

ISO - International Standard Organization 

IV - Initialization Vector 

LAN - Local Area Network 

MAC - Medium Access Control 

MPDU - MAC Protocol Data Unit 

PEM - Privacy Enhanced Mail 

PHY - Physical layer 

PRNG - Pseudo Random Number Generator 

SECCS - Shared Key Cryptography System 

UMTS - Universal Mobile Telecommunications System 

WEP - Wired Equivalent Privacy 
APPENDIX B. DEFINITIONS 


Ad-hoc: In ad-hoc configuration the wireless LAN has no fixed components 

Authentication: The identification of the parties 

Base: Usually fixed base station of the wireless LAN, sometimes referred to as Access Point 

Cipher text: The data after ciphering 

Confidentiality: Only intended parties can access the data 

Coverage: The area where the transmission of the node can be heard 

Denial of service: An attack preventing the system from being used 

Eavesdropping: Capturing the data by an unintended party 

End-to-end: From the sending node to the intended receiver 

Integrity: The message can not be modified or replaced by unintended parties 

Key management: The policy to distribute and save the private and public keys 

Plain text: The data to be sent before ciphering 

Pre-arranged: In pre-arranged configuration the wireless LAN has some fixed 
components, like bases 

Private key: A sensitive key that must not be compromised 

Public key: A non-sensitive key that can be published 

Shared key: A secret key common to many users or network nodes 

Station-to-station: From one node to the next one in the network 

Transitive trust: An attack exploiting the host-host or network-network trust 
APPENDIX C. OSI MODEL LAYERS 

OSI Layer      Function Provided 
Application    Network applications such as file transfer and terminal emulation 
Presentation   Data formatting and encryption 
Session        Establishment and maintenance of sessions 
Transport      Provision for end-to-end reliable and unreliable delivery 
Network        Delivery of packets of information, which includes routing 
Data Link      Transfer of units of information, framing, and error checking 
Physical       Transmission of binary data over a medium 